[rexreed]

For 2) you mean you loaded it from the adversary's proxy site, just to clarify?

[santah]

Yes, constructed the honeypot URL using the proxy site and called it (thousands of times) so I can get them to fetch it from my server through their IP so I can log it.

[WirelessGigabit]

They literally proxy your website? I thought they'd cache it... that makes more sense now in your statement that you hit their website with a specially formatted url. Since they pass that through to you you can filter on that.

Also: since you say 4k-5k IPs... any of them from cloud providers? And specific location?

[santah]

No cloud providers as far as I'm aware.

They were all from the same 4-5 ASN networks, all based in Russia.

[adventured]

If you happen to use Cloudflare.... Cloudflare -> Firewall rules -> Russia JS Challenge (or block)

[justsomehnguy]

Residential proxy botnet.

[tofuahdude]

Why do they bother doing this domain proxy stuff in the first place?

[justsomehnguy]

High quality content with a good standing in Google => unique and quality impressions => more revenue from the ads they insert in the content.

[everybodyknows]

Also for (2), any worries that your own providers might imagine you're trying to mount some half-baked DOS campaign?

[santah]

Wasn't really worried about that.

I didn't do it as a super quick burst, but in a space of multiple hours.

First because the proxy servers were super slow and second - I couldn't automate it - their servers had some kind of bot detection which would catch me calling the URLs through script.

Instead, I installed a browser extension which would automatically reload a browser tab after specified timeout (I've set it to 10 sec or something) and I opened like 50 tabs of the honeypot URL and left it there to reload for hours ...

[RektBoy]

Look out as this is not optimal.

Since they will fingerprint your browser. But it looks like they were people with low IQ, so you were fine.